Open source software security

Using the Google Safe Browsing API from PHP

Google's new Safe Browsing API is a neat service that allows you to poll the MD5 hashes of known malware and phishing sites. This is especially handy because you can check URLs submitted to your site or service by internet users to make sure that they don't include malicious links. The API is relatively well documented at http://code.google.com/apis/safebrowsing/developers_guide.html, so this tutorial focuses mainly on how you can use PHP to implement the API. If you use Firefox, you are probably familiar with the malware or phishing warning screen that shows up when you visit suspicious sites. This feature implements the Safe Browsing API.

Making calls to the Safe Browsing API is pretty straightforward. You first need to register with Google to get a developer key in order to access the service. Once you do this, you simply call a certain URL, which responds with a list of MD5 hash values for suspected malware sites. The first thing you should do is set up a local database to store these values. In MySQL you can use the following to set up a simple table to store these:

This script will handle the initial import but may need some tweaking for polling updates to the list. Note that allow_url_fopen must be set to 'On' in your php.ini file for this script to work (otherwise you'll get an error because the PHP engine can't open remotely hosted files).

Note that this script shouldn't be run every time a user submits a URL. According to Google, your client (the database) should only refresh its list of suspected malware sites every half hour. Scheduling this script from cron is probably the easiest way to implement it.

Once the data has been pulled into your local database, you can implement a simple service using the following PHP code snippet. I haven't bothered to implement all the permutations for checks suggested by Google, but it should be more than enough for a proof of concept:

Try pulling up this script with the URL ?lookup=http://malware.testing.google.test/testing/malware and you should be presented with the warning message if everything is working properly. You can probably tweak this functionality to better support your projects (depending on whether you need AJAX support or whatnot), but in its current form it can demonstrate the functionality and be used to assess feasibility.
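The following is an added example, not the script from the original post. It goes one step beyond an exact-match check by generating the host-suffix and path-prefix permutations, on the assumption that the scheme is the one in Google's developer guide (suffixes of the last five host labels, up to four path prefixes); the function names, the in-memory `$hashes` array standing in for the MySQL table, and the sample blacklist entry are constructed for illustration, and full URL canonicalization is not shown.

```php
<?php
// Added example: expressions to hash for one URL, checked against a local blacklist.
function candidate_expressions(string $url): array
{
    $parts = parse_url($url);
    if (empty($parts['host'])) { return []; }   // unparsable or relative URL
    $host  = strtolower(trim($parts['host'], '.'));
    $path  = $parts['path'] ?? '/';
    $query = isset($parts['query']) ? '?' . $parts['query'] : '';
    // Hosts: exact name plus suffixes of its last five labels, down to two
    // labels. An IP address is only ever checked as-is.
    $hosts = [$host];
    if (filter_var($host, FILTER_VALIDATE_IP) === false) {
        $labels = array_slice(explode('.', $host), -5);
        for (; count($labels) >= 2; array_shift($labels)) {
            $hosts[] = implode('.', $labels);
        }
    }
    // Paths: exact path with and without the query, then "/" and up to
    // three leading directories, each with a trailing slash.
    $paths  = [$path . $query, $path, '/'];
    $dirs   = explode('/', trim($path, '/'));
    array_pop($dirs);                    // final component is the exact path
    $prefix = '/';
    foreach (array_slice($dirs, 0, 3) as $dir) {
        $prefix .= $dir . '/';
        $paths[] = $prefix;
    }
    $out = [];
    foreach (array_unique($hosts) as $h) {
        foreach (array_unique($paths) as $p) {
            $out[] = $h . $p;
        }
    }
    return $out;
}

// Returns the first expression whose MD5 is a key of $hashes, or null.
function matching_expression(string $url, array $hashes): ?string
{
    foreach (candidate_expressions($url) as $expr) {
        if (isset($hashes[md5($expr)])) { return $expr; }
    }
    return null;
}

// Constructed blacklist entry; the tutorial keeps these hashes in MySQL.
$hashes = [md5('malware.testing.google.test/testing/malware') => true];
$url    = 'http://malware.testing.google.test/testing/malware?ref=1';
$hit    = matching_expression($url, $hashes);
echo $hit === null ? "no match\n" : "WARNING: matched $hit\n";
```

The submitted URL carries a query string, so hashing it verbatim would miss the entry; the match comes from the path-without-query candidate.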